Data Processing Agreement

1. Definitions

“Personal Data” means any information relating to an identified or identifiable individual, as defined under applicable Data Protection Laws (GDPR, Australian Privacy Act 1988, CCPA/CPRA, POPIA, or equivalent).

“Processing” means any operation performed on Personal Data, including collection, storage, hashing, transmission, analysis, and deletion.

“Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

“Data Protection Laws” means GDPR (EU), Australian Privacy Act 1988, CCPA/CPRA (California), POPIA (South Africa), PIPEDA (Canada), and any other applicable data protection legislation.

2. Scope of Processing

Briezo processes the following categories of Personal Data on behalf of the Merchant:

3. Processor Obligations

Briezo shall:

1. Process Personal Data only on documented instructions from the Merchant (i.e., the features the Merchant enables in Settings).
2. Ensure all personnel with access to Personal Data are bound by confidentiality obligations.
3. Implement and maintain appropriate technical and organisational measures to protect Personal Data, including:
   • AES-256-GCM encryption of all stored API tokens and credentials
   • SHA-256 hashing of customer PII (email, phone, address) before storage
   • Consent-gated processing (strict mode by default; PII stripped when consent not granted)
   • HTTPS/TLS encryption for all data in transit
   • Infrastructure-level disk encryption via hosting provider
   • Helmet.js security headers including CSP and HSTS
   • Rate limiting on authentication and API endpoints
4. Not engage Sub-processors without prior notification to the Merchant (see Section 5).
5. Assist the Merchant in responding to data subject access requests (DSARs) and exercising data subject rights.
6. Delete or return all Personal Data upon termination of the agreement, at the Merchant's choice.
7. Notify the Merchant without undue delay (and within 72 hours) upon becoming aware of a Personal Data breach.

4. Merchant (Controller) Obligations

The Merchant shall:

1. Ensure a lawful basis exists for the processing of customer Personal Data (e.g., legitimate interest for server-side conversion tracking, consent where required).
2. Maintain an appropriate privacy policy on their storefront that discloses the use of third-party analytics and server-side event processing.
3. Configure consent mode settings in Briezo to match their jurisdiction's requirements.
4. Not submit special category data (health, biometric, political, religious data) to Briezo unless explicitly agreed in writing.

5. Sub-processors

Briezo uses the following Sub-processors to deliver its services:

Briezo will notify the Merchant at least 14 days in advance of adding or replacing a Sub-processor. The Merchant may object within that period. If the objection cannot be resolved, the Merchant may terminate the agreement.

6. International Data Transfers

Where Personal Data is transferred outside the Merchant's jurisdiction, Briezo ensures appropriate safeguards are in place:

• EU/EEA to US: EU-US Data Privacy Framework (where applicable) or Standard Contractual Clauses (SCCs).
• Australia: Compliant with Australian Privacy Principle 8 — reasonable steps to ensure overseas recipients handle data consistently with the APPs.
• Other jurisdictions: Appropriate safeguards as required by the applicable Data Protection Laws.

7. Security Measures

Briezo implements the following security measures:

• Encryption at rest: API tokens encrypted with AES-256-GCM; database disk encryption via infrastructure provider.
• Encryption in transit: All connections over HTTPS/TLS 1.2+.
• PII minimisation: Customer identifiers hashed with SHA-256 at ingestion. Plain email retained only where operationally required (Klaviyo sync).
• Access controls: Per-store authentication with ownership validation on every API call. Admin endpoints separately gated.
• Webhook verification: Shopify webhooks verified via HMAC-SHA256 with timing-safe comparison.
• Dependency management: Automated vulnerability scanning; 0 known vulnerabilities as of April 2026.
• Killswitch: Global, per-store, and per-platform emergency stop for all event processing.
• DLQ redaction: Failed event payloads have tokens and PII redacted before dead-letter storage.

8. Data Breach Notification

In the event of a Personal Data breach, Briezo will:

1. Notify the Merchant via email within 72 hours of becoming aware of the breach.
2. Provide details of the nature of the breach, categories of data affected, approximate number of data subjects, and measures taken to mitigate.
3. Cooperate with the Merchant and any supervisory authority in investigating and remediating the breach.

9. Data Deletion and Return

Upon termination of the Merchant's account:

• Briezo will delete all Personal Data within 30 days, unless retention is required by law.
• The Merchant may request a data export (via Settings → Account → Export Data) before account closure.
• Shopify GDPR webhooks (customers/data_request, customers/redact, shop/redact) are processed automatically.

10. Audit Rights

The Merchant (or their appointed auditor) may request information about Briezo's data processing practices to verify compliance with this DPA. Briezo will make available all information reasonably necessary to demonstrate compliance and allow for audits, subject to reasonable notice and confidentiality obligations.

11. Duration and Termination

This DPA is effective for the duration of the Merchant's use of Briezo. It terminates automatically when the Merchant deletes their account. Sections 7 (Security), 8 (Breach Notification), 9 (Deletion), and 10 (Audit) survive termination.

12. Contact

For questions about this DPA or to exercise any rights:

Briezo
ABN 92 611 517 994
Email: hello@briezo.com
Privacy page: /privacy